CarGurus Data Breachcheck your eligibility
In February 2026, online automotive marketplace CarGurus was reportedly targeted by the cybercrime group known as ShinyHunters. Reportedly, the attackers claim to have gained access to 12.5 million customer accounts, which is key to their typical “pay or leak” extortion strategy.
We’ve partnered with KP Law, a specialist law firm for data breach claims. KP Law is exploring a potential group action claim against CarGurus. You can check eligibility for a potential data breach claim. If eligible, you can sign up to claim with KP Law. If enough claimants come together, KP Law will let you know and fight to secure compensation on a NO-WIN, NO-FEE* basis.
The first step in getting compensation
Sign up for a potential CarGurus data breach claim to register your interest to be notified if the claim moves forward.
THE FACTS SO FAR
What do we know about the CarGurus data breach?
In February 2026, online automotive marketplace CarGurus was reportedly targeted by the cybercrime group ShinyHunters, who claim to have accessed internal systems using sophisticated voice phishing ('vishing') techniques.
The attackers claim to have compromised up to 1.7 million private company records, including sensitive customer information and internal data.
According to reports, a 6.1GB archive was discovered on the dark web. This archive is thought to have contained a leaked database with up to 12.5 million email addresses associated with CarGurus customers, along with personal identifiers such as device information and car finance pre-qualification data.
Eligible individuals whose data was exposed in the data breach can sign up for the potential claim and register their interest in a potential group action claim for compensation.
FREQUENTLYASKED QUESTIONS
CarGurus is an automotive shopping website headquartered in the USA that compares local dealerships on behalf of consumers.
In February 2026, a cybercriminal group known as ShinyHunters claimed to have accessed CarGurus internal systems, likely through a method known as “vishing”, or voice phishing, where the criminal calls an employee of a company posing as a member of the IT team. They will ask the employee for passwords or other sensitive information that can help them gain access to wider company systems.
After the ShinyHunters group gained access to CarGurus systems, they accessed 1.7 million private company records and threatened to release the data publicly unless a ransom was paid.
Sometime later, a 6.1GB archive was leaked on the dark web, containing up to 12.5 million email addresses of CarGurus customers.
CarGurus posted information on their website for affected customers. You can find more details provided by CarGurus on their official support pages.
Your dealership should have contacted you if your data was accessed.
A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions, multi-claimant, or multi-party actions.
There are no upfront costs to join a claim. However, if KP Law pursue a claim on your behalf and that claim is successful, you may have to pay a ‘success fee’. This fee is taken from the compensation awarded to you. At KP Law, their success fee is competitive, and they’ll make sure you are fully informed about any potential costs before you enter into an agreement. If you lose, you won’t have to pay a penny.
Unfortunately, as a business entity, the dealerships themselves are not within the scope of our claim. You may be able to find support and file a complaint on the Information Commissioners Office (ICO) website here:https://ico.org.uk/.